Mobile electronic devices can provide you with a large amount of insight and control over your business data and infrastructure. They are small, portable, and powerful tools that are rapidly transforming how different business sectors operate. Unfortunately, the very qualities that make them valuable to businesses also make them valuable targets for criminals.
Mobile devices create so many physical and network security challenges because they sit at the intersection of the two: a single device is both a physical asset that can be lost or stolen and a network endpoint that holds credentials and connects to corporate systems. A weakness on either side exposes the other.
Does the need to decide how to improve your mobile device management feel overwhelming? In this article, we explain the top five mobile security challenges you’re likely to face today and how you might address them in your organization.
Mobile devices, like smartphones, tablets, and laptops, can be provided by the company or by employees as part of a bring your own device (BYOD) program, where employees use their personally owned devices for business functions. The analytics firm Hexa Research found that the global BYOD market in 2014 was $94.2 billion worth of mobile devices. That market is expected to grow to $350 billion by 2024, roughly 3.7 times the 2014 figure.
Could a BYOD program make sense for your organization? That depends on your specific business needs and security risks.
Allowing staff to bring their personally owned devices to work reduces the organization’s direct costs of purchasing equipment. It also reduces many indirect costs, such as training, because employees are already familiar with their devices. Employees often prefer BYOD programs, because they permit more flexibility in device choice and the ability to carry a single device for both work and personal needs.
Centralized management and security are much harder to enforce when the organization doesn’t own the assets. BYOD programs can increase the risk of compromise or of corporate data being exposed to attackers. The organization’s ability to enforce hardware standards and lifecycles is also limited, because replacement devices are purchased on the employees’ schedules, not the organization’s.
The greatest benefit and also the greatest liability of mobile electronics is their portability. By design, these devices are built to easily move around worksites and across their physical and network security perimeters. Users expect these devices to be just as connected and useful outside of those perimeters as within. These qualities create many mobile security challenges.
If a device is compromised while off-network, the attacker inherits whatever that device can reach: cached credentials, VPN profiles, e-mail and single sign-on sessions. The device never has to come back inside your physical perimeter for the attacker to have a virtual foot in the door, and a competent attacker will use that foothold to move laterally across your network toward more valuable targets.
Clearly, mobile device security needs to be covered by your company’s overall physical security program. Let’s look at some specific challenges you’re going to face in securing mobile devices, as well as some potential solutions for those challenges:
The primary reason there are so many mobile security challenges is that these devices are both physical and network assets. They can move across the security perimeters you’ve set but in very different ways. For example, a mobile device could be outside of your physical control but still connected to your internal servers and corporate data. The reverse is also true. Someone can be on a mobile device inside your facility and connected to malicious network resources in the outside world.
Know when, where, and how your mobile devices will be used. Restrict access and use to only authorized functions on corporate devices. This requires a combination of mobile device management software and a smart asset management system for corporate-owned mobile devices.
Mobile devices can create leaks in your network security, which allow corporate data out onto the wider internet. Data loss can occur due to a security compromise, malicious behavior, or just human error.
Corporate data and personal data mix if personal use is permitted on business devices (which is a given when you have a BYOD program). It can be difficult to disentangle one set of data from the other when an issue arises. For example, if an employee leaves your company, how can you be sure they’re not taking any regulated or confidential data with them on that device?
Apply a combination of physical and network data loss prevention (DLP) practices. These include:
Mobile devices are at risk of theft because they hold a lot of value in the secondary market. Attackers also want to steal mobile devices connected to corporate networks to launch more effective attacks. With the device in hand, an attacker can work against it at leisure: guessing the passcode, extracting storage, and recovering stored credentials are all far easier than attacking the same device over the internet.
Physical security is as important for your mobile devices as network security is. The basic security features in consumer mobile devices are insufficient to protect against a determined attacker. Short numeric PINs in particular are weak: a four-digit PIN has only 10,000 possible values, and users tend to pick a small set of predictable ones.
You need to implement strong access control on any device connected to your network, no matter whether corporate-owned or BYOD. With mobile device management software, you can require longer PIN codes or passcodes, enforce multi-factor authentication, and enforce other IT security policies like device encryption.
You should also consider whether better physical access control might be beneficial. A smart storage system can generate a digital paper trail so you always know who signed out which corporate device and when. You can pull reports at any time to audit usage for potential problems.
At best, you’ll be faced with a host of slow, poorly performing devices when staff are permitted to use whichever device they own for business use. At worst, these older devices will create unnecessary security vulnerabilities. That can happen if staff purchase off-brand electronics or older, used devices that are out of the manufacturer’s support lifecycle.
Much like with computer operating systems, mobile device manufacturers stop releasing stability and security updates after a certain period. When hackers find a new vulnerability in older mobile software, that can put a bull’s-eye on your staff’s older BYOD devices.
Set a lifecycle and support policy for your business to deny older devices access to your network. This is much easier to enforce when you require the use of corporate-owned devices. For example, your smart management system can refuse to unlock certain devices if managers flag them as missing a critical update, or if they’re out of lifecycle and waiting to be collected by IT for disposal.
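The lifecycle gate described above, together with the passcode-length and encryption requirements from the access-control section, amounts to a device posture check: compare what the MDM inventory reports about each device against a written policy and deny anything that fails. The following is an added example of such a check, not code from the original article or from any MDM or locker product. The inventory fields, the policy thresholds, the device models and the support-end dates are all constructed for illustration; real end-of-support dates come from the manufacturer.

```python
"""Device posture check that decides which mobile devices may connect.

Added example: the Device/Policy fields mirror what an MDM inventory export
typically provides, but every value below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Policy:
    min_os: dict                 # platform -> minimum OS version, e.g. {"ios": "16.0"}
    max_patch_age_days: int      # newest installed security patch may not be older than this
    min_passcode_len: int        # shortest passcode the MDM is allowed to accept
    require_encryption: bool     # storage encryption must be on


@dataclass
class Device:
    device_id: str
    owner: str                   # "corporate" or "byod"
    platform: str                # "ios" or "android"
    model: str
    os_version: str
    security_patch: date         # date of the newest security patch installed
    passcode_len: int            # 0 when no passcode is set
    encrypted: bool
    flagged_missing_update: bool = False   # set by IT when a critical fix is outstanding


# Constructed lifecycle table: model -> last day the vendor ships security updates.
# A model absent from this table is treated as unapproved.
SUPPORT_END = {
    "ExampleCo Slate 8": date(2021, 12, 31),
    "ExampleCo Slate 11": date(2026, 12, 31),
    "Fruitphone 12": date(2027, 9, 30),
}


def version_tuple(v: str) -> tuple:
    """Turn '17.1' into (17, 1, 0) so that '13' and '13.0' compare equal."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def evaluate(dev: Device, policy: Policy, today: date) -> list:
    """Return every policy violation for one device; an empty list means it may connect."""
    reasons = []
    end = SUPPORT_END.get(dev.model)
    if end is None:
        reasons.append("model not on approved list")
    elif today > end:
        reasons.append(f"out of lifecycle since {end}")
    floor = policy.min_os.get(dev.platform)
    if floor is None:
        reasons.append(f"unsupported platform {dev.platform}")
    elif version_tuple(dev.os_version) < version_tuple(floor):
        reasons.append(f"OS {dev.os_version} below minimum {floor}")
    if (today - dev.security_patch).days > policy.max_patch_age_days:
        reasons.append(f"security patch {dev.security_patch} older than {policy.max_patch_age_days} days")
    if dev.flagged_missing_update:
        reasons.append("flagged by IT: critical update missing")
    if dev.passcode_len < policy.min_passcode_len:
        reasons.append(f"passcode length {dev.passcode_len} below minimum {policy.min_passcode_len}")
    if policy.require_encryption and not dev.encrypted:
        reasons.append("storage not encrypted")
    return reasons


def gate_access(devices, policy: Policy, today: date) -> dict:
    """Map each device id to (allowed, reasons). The same rules apply to corporate and BYOD devices."""
    result = {}
    for dev in devices:
        reasons = evaluate(dev, policy, today)
        result[dev.device_id] = (not reasons, reasons)
    return result


# Constructed policy and inventory for the demo.
POLICY = Policy(min_os={"ios": "16.0", "android": "13"}, max_patch_age_days=60,
                min_passcode_len=6, require_encryption=True)
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("C-001", "corporate", "ios", "Fruitphone 12", "17.1", date(2024, 5, 1), 6, True),
    Device("B-002", "byod", "android", "ExampleCo Slate 8", "11", date(2021, 11, 5), 4, True),
    Device("B-003", "byod", "android", "ExampleCo Slate 11", "14", date(2024, 5, 15), 6, False,
           flagged_missing_update=True),
]


def run_demo() -> dict:
    """Evaluate the sample inventory against the sample policy."""
    return gate_access(SAMPLE_DEVICES, POLICY, TODAY)


if __name__ == "__main__":
    for device_id, (allowed, reasons) in run_demo().items():
        print(device_id, "ALLOW" if allowed else "DENY", "; ".join(reasons))
```

Each denial carries every reason rather than just the first, which is what an IT desk needs when telling a BYOD user what to fix. Feeding the inventory from a real MDM export and the lifecycle dates from the manufacturer is the only change needed to run this against a live fleet.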
A variety of network attacks can target mobile devices and their users, including phishing campaigns, malware, and data harvesting attacks. These attacks are not unique to mobile devices, but attackers are increasingly aiming them at mobile devices. The IT security firm Kaspersky Lab analyzed data from its mobile security apps and found that attacks on user data on mobile devices increased 167 percent between 2018 and 2019. It expects this trend to continue in coming years.
Endpoint security software can help, but targeted attacks often seek to gain control of a device by first targeting the user, not the technology. Therefore, security training is essential.
Create a security-first culture within your organization. Train users to challenge anyone who seeks to enter your facility or gain access to personal or corporate data without showing credentials. Train them to recognize specific threats to mobile devices.
Controlling how mobile devices move inside your facility, over your network, and across your security perimeters is the best way to manage the risks associated with their use. That control requires a combination of training, policies, IT security, and physical security tools. Consider whether the mobile security program you develop can benefit from the inclusion of a smart locker security and management system.
Download our Best Practices for Physical Asset Management guide today to learn more about securing your organization’s mobile devices.